Add SSH rules for nftables on ginaz

1 files changed, 30 insertions, 0 deletions

diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index 625547d..3812f41 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
@@ -46,5 +46,35 @@
   services.openssh.settings.X11Forwarding = true;
   services.xserver.videoDrivers = [ "amdgpu" ];
 
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ../secrets/ginaz.yaml;
+
+    secrets = {
+      "nftables/ssh" = {};
+    };
+  };
+
   system.stateVersion = "23.11";
+
+  systemd.services."nftables-extra" = {
+    description = "nftables extra firewall rules";
+    script = ''
+      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+    '';
+    serviceConfig = {
+      RemainAfterExit = true;
+      Type = "oneshot";
+    };
+    unitConfig = {
+      ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+  systemd.paths."nftables-extra" = {
+    pathConfig = {
+      PathExists = config.sops.secrets."nftables/ssh".path;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
 }